A brute force attack (also known as brute force cracking) is the cyberattack equivalent of trying every key on your key ring and eventually finding the right one. 5% of confirmed data breach incidents in 2017 stemmed from brute force attacks.

Brute force attacks are simple and reliable. Attackers let a computer do the work – trying different combinations of usernames and passwords, for example – until they find one that works. Catching and neutralizing a brute force attack in progress is the best counter: once attackers have access to the network, they’re much harder to catch.

Types of Brute Force Attacks

The most basic brute force attack is a dictionary attack, where the attacker works through a dictionary of possible passwords and tries them all. Dictionary attacks start from assumptions about which passwords are common and guess from that list. These attacks tend to be somewhat outdated, given newer and more effective techniques.

Recent computers, manufactured within roughly the last 10 years, can brute force crack an 8 character alphanumeric password – capital and lowercase letters, numbers, and special characters – in about two hours. Computers are so fast that they can brute force crack a weak encryption hash in mere months. These kinds of brute force attacks are known as an exhaustive key search, where the computer tries every possible combination of every possible character to find the right one.

Credential recycling is another type of brute force attack that reuses usernames and passwords from other data breaches to try to break into other systems.

The reverse brute force attack starts from a common password like “password” and then brute forces a username to go with that password. Since that password was one of the most common passwords in 2017, this technique is more successful than you might think.

Motives Behind Brute Force Attacks

Brute force attacks occur in the early stages of the cyber kill chain, typically during the reconnaissance and infiltration stages. Attackers need access or points of entry into their targets, and brute force techniques are a “set it and forget it” method of gaining that access. Once they have entered into the network, attackers can use brute force techniques to escalate their privileges or to run encryption downgrade attacks.

Attackers also use brute force attacks to look for hidden web pages: pages that live on the internet but are not linked from other pages. The attack tests different addresses to see which return a valid page, looking for one it can exploit – a software vulnerability in the code that could be used for infiltration, like the vulnerability used to infiltrate Equifax, or a page that exposes a list of usernames and passwords to the world.

There is little finesse involved in a brute force attack, so attackers can automate several attacks to run in parallel and improve their chances of a result that is positive for them.

How to Defend Against Brute Force Attacks

Brute force attacks need time to run. Some attacks can take weeks or even months to provide anything useful. Most of the defenses against brute force attacks involve increasing the time required for success beyond what is technically possible, but that is not the only defense.

  • Increase password length: More characters equal more time to brute force crack
  • Increase password complexity: More options for each character also increase the time to brute force crack
  • Limit login attempts: Brute force attacks increment a counter of failed login attempts on most directory services – a good defense against brute force attacks is to lock out users after a few failed attempts, thus nullifying a brute force attack in progress
  • Implement Captcha: Captcha is a common system to verify a human is a human on websites and can stop brute force attacks in progress
  • Use multi-factor authentication: Multi-factor authentication adds a second layer of security to each login attempt that requires human intervention and can stop a brute force attack from succeeding

The proactive way to stop brute force attacks starts with monitoring. Varonis monitors Active Directory activity and VPN traffic to detect brute force attacks in progress. We’ve got threat models that monitor lockout behaviors (often a sign that there’s a brute force attack underway), threat models that detect potential credential stuffing, and more – all designed to detect and prevent brute force attacks before the attack escalates.

It’s better to detect an attack in progress and actively stop the attack than it is to hope your passwords are un-crackable. Once you detect and stop the attack, you can even blacklist IP addresses and prevent further attacks from the same computer.
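As an added example (not from the original article, and not Varonis's product logic): a small detector that runs over constructed login-log lines, applies the lockout idea from the defense list, and flags the two patterns the monitoring paragraph describes, a failure burst against one account and a single source spraying many accounts, plus the success that follows a burst. The log format, field order and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system): "timestamp result user source".
SAMPLE_LOG = """\
2017-06-01T10:00:00 FAIL alice 203.0.113.7
2017-06-01T10:00:02 FAIL alice 203.0.113.7
2017-06-01T10:00:03 FAIL alice 203.0.113.7
2017-06-01T10:00:05 FAIL alice 203.0.113.7
2017-06-01T10:00:06 FAIL alice 203.0.113.7
2017-06-01T10:00:07 OK alice 203.0.113.7
2017-06-01T10:01:00 FAIL bob 198.51.100.9
2017-06-01T10:01:01 FAIL carol 198.51.100.9
2017-06-01T10:01:02 FAIL dave 198.51.100.9
2017-06-01T10:01:03 FAIL erin 198.51.100.9
2017-06-01T10:01:04 FAIL frank 198.51.100.9
2017-06-01T10:05:00 FAIL grace 192.0.2.44
2017-06-01T10:20:00 FAIL grace 192.0.2.44
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")

def parse(log):
    """Yield (timestamp, result, user, source) for each well-formed line."""
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts, result, user, src = m.groups()
        yield datetime.fromisoformat(ts), result, user, src

def detect(log, window=timedelta(minutes=5), max_fail=5, max_users=5):
    """Alerts as (kind, key, count), in firing order. lockout: max_fail failures on one
    account inside window. spray: failures from one source on max_users distinct accounts
    (reverse brute force / credential stuffing; per-account counters never see it).
    success_after_burst: a login succeeds on an account that just reached lockout level."""
    fails_by_user, fails_by_src = defaultdict(list), defaultdict(list)  # pruned to window
    alerted, alerts = set(), []
    for ts, result, user, src in parse(log):
        if result == "OK":
            if ("lockout", user) in alerted:
                alerts.append(("success_after_burst", user, len(fails_by_user[user])))
            continue
        q = fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= window] + [ts]
        if len(q) >= max_fail and ("lockout", user) not in alerted:
            alerted.add(("lockout", user))
            alerts.append(("lockout", user, len(q)))
        s = fails_by_src[src] = [e for e in fails_by_src[src] if ts - e[0] <= window] + [(ts, user)]
        users = {u for _, u in s}
        if len(users) >= max_users and ("spray", src) not in alerted:
            alerted.add(("spray", src))
            alerts.append(("spray", src, len(users)))
    return alerts
```

In the sample, the spraying source never trips the per-account lockout counter, which is why a per-source view is needed alongside a lockout policy.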